New version of TBB no longer accepts FoxyProxy plugin.

If you choose to upgrade Tor Browser to the latest version (6.0) and try to install the FoxyProxy plugin, you cannot. The browser will produce an error that it’s not a plugin it expected (probably intended?).

If you choose to install FoxyProxy plugin before upgrading to TBB 6.0, it will be fine. Plugin will stay.

It’s important to point this out as FoxyProxy is probably the main (easiest) option for Whonix users to use a proxy with TBB.

Good day,

Because addons like FoxyProxy literally ruin the anonymity the TBB provides, by changing the fingerprint provided, they shouldn’t be used with it. To prevent this from happening, as a lot of people simply don’t know this/don’t care about this, the team behind the TBB apparently decided to attempt to prevent the installation of addons with version 6.0. Seemingly, this doesn’t extend to updated installation.

However, that doesn’t make using FoxyProxy, AdBlock Plus, etc. any less harmful to the anonymity provided.

Have a nice day,

Ego

Where do you install FoxyProxy from? Debian repo or the FF addon site?

It’s important to point this out as FoxyProxy is probably the main (easiest) option for Whonix users to use a proxy with TBB.

Right and more importantly the only option for using alternative anonymizing networks like I2P with TBB.

From the Firefox’s Add-on site.

If FoxyProxy is no longer avail, how do Whonix users continue to use proxy with Tor Browser?

I thought I changed the instructions to point to Debian foxyproxy. Can you link to the steps you followed?

Try these ones and tell me if they work:

https://www.whonix.org/wiki/Template:FoxyProxy

Good day,

Why not use it with Iceweasel? After changing the TBB’s fingerprint with FoxyProxy, there is no reason to use it over Iceweasel with NoScript, etc.

Have a nice day,

Ego

@Ego

Torbutton provides a lot of fingerprinting mitigation besides what addon set you are running. While it’s true that the TBB fingerprint changes with FoxyProxy installed, the trade-off is negligible compared to running a stock browser exposing everything.

Good day,

I know, but like I’ve said:

With NoScript, etc. I meant adding the addons the TBB comes preinstalled with. You can get TorButton outside of the TBB as well after all: The Tor Project / Applications / torbutton · GitLab

Have a nice day,

Ego

Standalone Torbutton has been deprecated a long time. Noscript on its own cannot recreate the many custom patches done by the TBB team all over the Firefox codebase. These prevent fingerprinting of many things about your system even if you must enable JS.

Good day,

The link from above actually gives you access to the newest version, uploaded not even three days ago. Had copied the wrong link before and apparently the forum displayed the change a bit too late for you to see it, as my post doesn’t even show the “edited-symbol”.

Have a nice day,

Ego

Sorry my reply wasn’t clear enough: Torbutton provides some but not all of TBB protections. For more information see the TBB design doc:

https://www.torproject.org/projects/torbrowser/design/

Until they are upstreamed to Firefox (extremely unlikely because of Mozilla’s business model) this still holds.

The addon on the FF site is very outdated and not from an official source:

Torbutton 1.2.5 vs Torbutton 1.9.5.4

It also isn’t enough. TPO has officially switched from the plugin model to a full-fledged privacy-friendly fork of Firefox.

From: How can we help? | Tor Project | Support

So I’m totally anonymous if I use Tor?

No.

That’s where Tor Browser comes in. We produce a web browser that is preconfigured to help you control the risks to your privacy and anonymity while browsing the Internet. Not only are the above technologies disabled to prevent identity leaks, the Tor Browser also includes browser extensions like NoScript and Torbutton, as well as patches to the Firefox source code. The full design of the Tor Browser can be read here. In designing a safe, secure solution for browsing the web with Tor, we’ve discovered that configuring other browsers to use Tor is unsafe.

Good day,

Obviously you are right there, but most of the other anonymity protection aside from TorButton and NoScript comes from the fingerprint which, after installing FoxyProxy is already lost completely. The changes in source code, mentioned at The Design and Implementation of the Tor Browser [DRAFT] are in most cases only a factor when having NoScript deactivated. They contain things like stopping removing WebRTC, tracking of the used hardware, etc. which all are already non-issues anymore when using NoScript.

The link in my post is one hosted at torproject.org, the official source. Like mentioned, for some reason you apparently saw a version I never sent away with a wrong URL and were able to quote it, even though it not having been sent or later edited…

Have a nice day,

Ego

Obviously you are right there, but most of the other anonymity
protection aside from TorButton and NoScript comes from the fingerprint
which, after installing FoxyProxy is already lost completely.

That’s not true because the addon is not malicious. All it does is make you stand out from the larger TBB anonymity set as someone who has it installed.

This is not catastrophic by itself and is very useful in scenarios where the rest of TBB protections are otherwise unavailable without it - like running TBB with I2P.

This discussion has taken place in several threads and while the standing recommendation is to use TBB whenever possible, IIUC the debate has not been concluded definitively.

The big problem is that while TBB does the most to protect your browser fingerprint, just by virtue of using TBB with a non-Tor exit node, you are placing yourself into a very small subset of TBB users. (Even more so now.) Can’t comment on TBB + i2p usage, but certainly for using TBB + socks5, that would be a very small minority of users. If you combine that with visiting a relatively light traffic destination, you may be just as pseudonymous as if you had used Iceweasel - only with a false sense of security. Perhaps, it’s better to be purely pseudonymous from the beginning with Iceweasel and design your browsing strategy around that… Since TBB itself is recognizable, you’ll be less conspicuous using Iceweasel.

With the extremely high accuracy of fingerprinting techniques used today (of hardware and user behavior) you stand no chance of mixing in. Trackers will pinpoint you out with 100% certainty every click without TBB.

It’s still better to take your chances mixing into a small group of Whonix users who use TBB + FoxyProxy with socks5 webproxies than completely sacrificing the pseudoanonymity left given by the setup of this tiny minority.

Good day,

Now, correct me if I’m wrong, but isn’t the whole browser fingerprinting “thing” (for lack of a better word) a bit more complex than that?

If I recall, a browser’s fingerprint doesn’t just list your addons, cookies, hardware information, etc. simply in plain like this:

Addons: uBlock, NoScript, FoxyProxy
Hardware: 1920x1080, I5@2,5ghz
Cookies: amazon, google, youtube, etc.

But rather uses all the data to create a value based on them which is unique to you allowing tracking and fingerprinting. And, as far as I’m informed, such a value is freshly created when installing FoxyProxy. So, even if many TBB users use FoxyProxy with it, that doesn’t mean they are just a part of a smaller group. By design, they’d be unique then.

Hasn’t that been the reason why, despite many developers having tried to do so, there has been no way to protect from fingerprinting and tracking without giving many people a predefined and identical value like the TBB does? Like I’ve said, if this is fundamentally wrong I’m sorry, but that is what I’ve been reading time and time again.

Have a nice day,

Ego
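An added example, not part of the thread, for the question discussed in the posts above: how a tracker that hashes observable attribute values ends up grouping browsers into anonymity sets. The population counts, the attribute names, the screen sizes and the assumption that an add-on contributes only its detectable presence (no per-install value) are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed attribute profiles (assumption: an add-on is visible only as
# "present", it adds no per-install random value to the observable data).
STOCK_TBB = {"browser": "TBB", "addons": ("NoScript", "Torbutton"), "screen": "1000x600"}
FOXY_TBB = {"browser": "TBB", "addons": ("FoxyProxy", "NoScript", "Torbutton"), "screen": "1000x600"}
ICEWEASEL_A = {"browser": "Iceweasel", "addons": ("NoScript",), "screen": "1920x1080"}
ICEWEASEL_B = {"browser": "Iceweasel", "addons": ("NoScript",), "screen": "1366x768"}

# Constructed population of 100 visitors; the counts are made up, not measured.
POPULATION = [STOCK_TBB] * 90 + [FOXY_TBB] * 8 + [ICEWEASEL_A, ICEWEASEL_B]


def fingerprint(attrs):
    """Hash the attributes in a fixed key order (hypothetical tracker logic)."""
    canonical = "|".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def anonymity_sets(population):
    """Map each fingerprint hash to the number of visitors sharing it."""
    return Counter(fingerprint(attrs) for attrs in population)


def set_size(attrs, population):
    """How many visitors are indistinguishable from this profile."""
    return anonymity_sets(population)[fingerprint(attrs)]


def surprisal_bits(attrs, population):
    """Identifying information in bits: log2(population / anonymity set size)."""
    return math.log2(len(population) / set_size(attrs, population))


if __name__ == "__main__":
    for name, profile in [("stock TBB", STOCK_TBB), ("TBB + FoxyProxy", FOXY_TBB),
                          ("Iceweasel 1920x1080", ICEWEASEL_A)]:
        print(f"{name:22} set={set_size(profile, POPULATION):3d} "
              f"bits={surprisal_bits(profile, POPULATION):.2f}")
```

Under these assumptions the hash is only a compact label for the attribute tuple: identical inputs give the same value, so the size of the group sharing it depends on how many visitors expose the same attributes.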

That’s my point. The alternative to not using TBB is: Don’t try to mix in with the tiny group of Whonix+TBB+proxy users that raise eyebrows wherever they go. Instead, create a new VM, assume a new identity, and be that identity.

There is more stuff. Cache, canvas, SSL-related glitches, time-related leaks, and a lot of other obscure stuff. The TBB developers are the only ones keeping an eye on that stuff and trying to cope up with it.

Open issues:

Consider also looking through closed tbb-fingerprinting / tbb-linkability bugs to see other stuff it solves.

I would not want to leak the desktop resolution of that VM and have it correlate with the host or other (non-)anonymous VM.

It is.

Information about what plugins you have installed is a very small part of it compared to the mountain of information that any other browser but TBB leaks. Patrick gives more details if you are interested.

Please post your source for this information. AFAIK the plugin is Free Software and does not spy on its users.